Health sector accounts for 43% of all UK data breaches, according to ICO data

Analysis by Egress shows human element is a cyber security weaknesses in healthcare

UK healthcare organisations suffered 2,447 data breaches and accounted for 43% of all reported incidents between January 2014 and December 2016 - almost four times more than the second-highest sector (local government)

The number of incidents rose year on year, with a 20% increase, from 184 incidents in the last quarter of 2014 to 221 in the last quarter of 2016

Of the 221 incidents occurring between October and December 2016, human error was the main cause. These types of incidents include: loss of paperwork (24%); data faxed/posted to the wrong participant (19%); data sent by email to the incorrect recipient (9%); and failure to redact data (5%)

The UK health sector suffered a disproportionate number of data breach incidents between January 2014 and December 2016, according to research by Egress Software Technologies.

In total, healthcare organisations suffered 2,447 incidents and accounted for 43% of all reported incidents in the time period.

By comparison, the second highest was local government, with 642 reported incidents – an 11% share.

The data, received from the Information Commissioner's Office, also shows that human error accounts for the almost half of these incidents across every sector.

In its analysis of the data, Egress found a clear spike in data breach incidents within UK healthcare organisations.

Following the WannaCry exploit, the vulnerability of the healthcare industry, and the critical importance of improving its cybersecurity, has come into sharp focus

Comparing the last quarter - October-December - of the past three years, healthcare organisations were found to consistently top the list for data breach incidents.

Furthermore, the number of incidents rose year on year, with a 20% increase, from 184 incidents in the last quarter of 2014 to 221 in the last quarter of 2016.

Critically, the findings showed many of these incidents are attributed to human error, rather than external threat.

Taking the 221 incidents occurring between October and December 2016, the top-ranking incident types were:

Theft or loss of paperwork – 24%

Other principle 7 failure – 22%

Data faxed/posted to incorrect recipient – 19%

Data sent by email to the incorrect recipient – 9%

Failure to redact data – 5%

“Following the WannaCry exploit, the vulnerability of the healthcare industry, and the critical importance of improving its cybersecurity, has come into sharp focus,” said Tony Pepper, chief executive and co-founder of Egress Software Technologies.

“While it’s clear there is a security problem in healthcare; these figures show that it is as much about internal activity as external threat.

“There’s no doubt that someone inadvertently emailing a spreadsheet containing sensitive patient details to the wrong person isn’t as good a headline as a ransomware attack, but that does not diminish the threat it poses.”

While healthcare had the highest volume of incidents; other sectors are increasing more rapidly.

While it’s clear there is a security problem in healthcare; these figures show that it is as much about internal activity as external threat

Across all sectors, the total number of security incidents reported has increased by almost a third (32%) since 2014.

The courts and justice sector experienced the most-significant increase in incidents, a 290% hike since 2014, placing it in the top five worst-affected industries by the last quarter of 2016.

Other significant increases can be seen in the central government and finance industries, with 33% and 44% increases respectively.

The ‘human element’ – where internal staff have made mistakes – accounted for almost half of total data breach incidents: 44% in October-December 2014; 43% in 2015; and 49% last year.

Data shared in error is the single-highest contributor to breaches year on year resulting from human error, causing roughly a third of incidents - 31% in 2014; 34% in 2015; and 31% in 2016.

Meeting this challenge requires a combination of improved employee training and the communication of risks, and the deployment of the right technologies to minimise the number opportunities available for human error to take hold

“We are all aware that security incidents are rising, but many may not suspect how large a proportion of these are down to error and lack of control over sensitive data,” said Pepper.

“What the information from the ICO makes clear is that all businesses need to do more to better protect sensitive information.

“Meeting this challenge requires a combination of improved employee training and the communication of risks, and the deployment of the right technologies to minimise the number opportunities available for human error to take hold.”